Nmap issue

[skull2006]

hi all,

i don't know why when i try make scan to my VBOX (Win XP) i have this line below when i use NMAP:

Discovered open port 21/tcp on 10.10.10.111

and If i use Nessus it's show me the port 21 is open but no more details.

by the way i have it even if i reinstall new VBOX (Win XP).

may some one have idea about it.

Best Regards,

[sickness]

Please give us some more detail, like the nmap command you use, the output it gives, some Nessus policy, what about the Windows XP machine ? Did you try another OS on virtualbox ?

[skull2006]

Please give us some more detail, like the nmap command you use, the output it gives, some Nessus policy, what about the Windows XP machine ? Did you try another OS on virtualbox ?

sickness, I use the normal command : nmap -v 10.10.10.10 and it give me there is port 21 is open see below :

PORT STATE SERVICE
21/tcp open ftp
135/tcp filtered msrpc
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds

and i'm sure i didn't open port 21 in my VBOX and about Nessus it show me SVC Name = ftp? and Total port = 0.

yes @sickness i try another PC even in the real world it show me that.

so did you have any idea about that.

Best Regards,

[skidmarq]

Why not log into the Windows box and perform a "netstat -bnv | find "21"" command.

This should tell you the process attached to that daemon.

You can also add a "--reason" argument to your Nmap scan to see why it reports it as open (typically SYN-ACK).

[skull2006]

Why not log into the Windows box and perform a "netstat -bnv | find "21"" command.

This should tell you the process attached to that daemon.

You can also add a "--reason" argument to your Nmap scan to see why it reports it as open (typically SYN-ACK).

i try but i don't find anything. check this :

root@skull:~# nmap -v 192.168.0.1 --reason

Starting Nmap 5.21 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2010-07-03 02:21 CEST
Initiating ARP Ping Scan at 02:21
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 02:21, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:21
Completed Parallel DNS resolution of 1 host. at 02:21, 0.12s elapsed
Initiating SYN Stealth Scan at 02:21
Scanning 192.168.0.1 [1000 ports]
Discovered open port 80/tcp on 192.168.0.1
Discovered open port 21/tcp on 192.168.0.1
Discovered open port 443/tcp on 192.168.0.1
Discovered open port 5101/tcp on 192.168.0.1
Completed SYN Stealth Scan at 02:21, 4.05s elapsed (1000 total ports)
Nmap scan report for 192.168.0.1
Host is up, received arp-response (0.0023s latency).
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
80/tcp open http syn-ack
443/tcp open https syn-ack
5101/tcp open admdog syn-ack
MAC Address: 00:17:C4:20:EB:15 (Quanta Microsystems)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.39 seconds
Raw packets sent: 1999 (87.954KB) | Rcvd: 7 (306B)
root@skull:~# ftp 192.168.0.1
Connected to 192.168.0.1.
421 Service not available, remote server has closed connection
ftp>

[skidmarq]

What about the Windows side command I asked you to try?

[Gitsnik]

Also, just as a curiosity, why do the host IP's keep changing?

[skull2006]

What about the Windows side command I asked you to try?

I really made the netstat -aon |finn *** but nothing about FTP or Port 21.

And i try it to my work real IP:

root@skull:~# nmap -v -O 6*.**.**.*** -p21 -A ant the result is this::

Host is up (0.039s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

even nessus show me the ? in every IP i make scan on it so why the FTP keep noise me.

Regards,

[skull2006]

Also, just as a curiosity, why do the host IP's keep changing?

i just change the ip in the scan command even if the ip is off check this :

nmap -v 192.168.1.111 -Pn

Starting Nmap 5.35DC1 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2010-08-27 21:55 EET
Initiating Parallel DNS resolution of 1 host. at 21:55
Completed Parallel DNS resolution of 1 host. at 21:55, 0.18s elapsed
Initiating SYN Stealth Scan at 21:55
Scanning 192.168.1.111 [1000 ports]
Discovered open port 21/tcp on 192.168.1.111
Completed SYN Stealth Scan at 21:55, 4.24s elapsed (1000 total ports)
Nmap scan report for 192.168.1.111
Host is up (0.0021s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
21/tcp open ftp

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.57 seconds
Raw packets sent: 2002 (88.088KB) | Rcvd: 4 (176B)


I don't have that ip in my network or in 5 kilometer around of me.

[skull2006]

this is maybe will clear the air:
this is to public ip.........

root@Skull:~# ftp 1.1.1.1
Connected to 1.1.1.1.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 21:19. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (1.1.1.1:root): anonymous
331 Any password will work
Password:
230 Any password will work
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 I won't open a connection to 10.10.10.10 (only to myrealip)
ftp: bind: Address already in use
ftp>

so any one can explain to me and he must read all the posts.